Social engineering

Social attacks are just as effective at getting privileged information as complicated zero-day exploits or carefully crafted phishing scams.

APC Australia, Feature: Hacker Secrets

By now most people are aware of the run-of-the-mill tech-support phone scams, where marks are tricked into giving remote access to a caller, who can then install keyloggers and harvest bank details, passwords or address books to use in further attacks. However, other forms of attack are possible. For example, in the attack on Reddit's servers reported at the beginning of August 2018, attackers were able to defeat SMS-based two-factor authentication (2FA) on admins' accounts, partly through known weaknesses in the cellular network and partly through Verification Code Forwarding Attacks (VCFA). By sending a legitimate-looking message that asks the user to resend the 2FA token sent by the provider, the attackers get access.

Social attacks are much more efficacious the more is known about the victim. Criminals will often spend time sleuthing high-profile targets and customising their attack. This practice is known as 'whaling', in contrast to the more standard 'phishing'. Most people have some kind of web presence these days, even if they've locked down their social media accounts. Looking through public information sources is known as Open Source Intelligence (OSINT). Diligent OSINT takes time and effort, but the popular Maltego tool can automate this process. By using a variety of data sources ('transforms'), from the Shodan server search engine, to the blockchain, to Twitter posts and GeoIP databases, all kinds of relationships can be deduced.

Maltego will generate graphs that reveal hidden connections in open source data.
